Volume 31
Article 24
Issue 2 Annual Review 2016
9-25-2016
Recommended Citation
Swaroop Poudel, Internet of Things: Underlying Technologies, Interoperability, and Threats to Privacy and Security, 31 Berkeley Tech. L.J.
997 (2016).
Available at: http://scholarship.law.berkeley.edu/btlj/vol31/iss2/24
This Article is brought to you for free and open access by the Law Journals and Related Materials at Berkeley Law Scholarship Repository. It has been
accepted for inclusion in Berkeley Technology Law Journal by an authorized administrator of Berkeley Law Scholarship Repository. For more
information, please contact jcera@law.berkeley.edu.
INTERNET OF THINGS: UNDERLYING
TECHNOLOGIES, INTEROPERABILITY, AND
THREATS TO PRIVACY AND SECURITY
Swaroop Poudel
DOI: http://dx.doi.org/10.15779/Z38PK26
© 2016 Swaroop Poudel.
J.D. Candidate, 2017, University of California, Berkeley, School of Law.
1. See Press Release, Gartner's 2014 Hype Cycle for Emerging Technologies Maps the
Journey to Digital Business, GARTNER, INC. (Aug. 11, 2014), http://www.gartner.com/
newsroom/id/2819918 [https://perma.cc/48W3-4XFH] (ranking IoT at the top of hype
cycle for emerging technologies and predicting a five to ten year full maturity period for
the market).
2. Dave Evans, The Internet of Things: How the Next Evolution of the Internet is
Changing Everything, CISCO, 3 (Apr. 2011), https://www.cisco.com/web/about/ac79/
docs/innov/IoT_IBSG_0411FINAL.pdf [https://perma.cc/DUF9-A9YY].
3. Press Release, M2M Market Will Generate $242 Billion Revenue by 2022,
STRATEGY ANALYTICS (Jan. 8, 2014), http://strategyanalytics.com/default.aspx?mod
=pressreleaseviewer&a0=5468 [https://perma.cc/BME4-V3AP].
4. Meet the Nest Thermostat, NEST, https://nest.com/thermostat/meet-nest-thermostat
[https://perma.cc/SW6W-6A8Y].
5. Id.
998 BERKELEY TECHNOLOGY LAW JOURNAL [Vol. 31:AR
she moves to show her the temperature and time.6 Third, Nest features
machine learning of her habits in order to automate temperature settings.
For instance, by remembering the temperature she sets right before bedtime
and after getting up from bed in the morning, it creates a temperature-
setting schedule.7 Similarly, it will learn to turn off the heat when she leaves
home.8
The Nest thermostat is currently an example of a vendor-specific
closed-loop scheme (that is, only other Nest products can connect with it),
but IoT has the potential to unlock immense value when more devices
become interoperable with each other.9 For instance, the value to customers
would significantly increase if third-party application developers could build
on the current system to add services such as regulation of lighting and
humidity. Similarly, if the smart home is connected to a smart car, then the
smart home can turn up the heat when the car is about to approach home.
Consider another example that illustrates other potential uses and
challenges of IoT: a connected health (or a smart health) application for
smart phones and watches called Fido that is designed by a company named
Fjord.10 While current non-IoT devices can detect one's glucose level at a
point in time and recommend an appropriate insulin dose, Fido promises
several functionalities to better manage the chronic diabetic condition.11
First, Fido is device-agnostic. That is, it will work on many devices such as
smartphones and watches.12 Second, it measures and records not just
glucose level but also nutrition, stress level, sleep, and activity, and does so
either automatically or through consumer input.13 It also measures all of this
data over long periods of time. This collection of a variety of data at a
granular level via various sensors speaks to the enormous scale of IoT data
over what computers can currently collect. Third, by aggregating data from
several people, it can discern the pattern between glucose level and various
6. Id.
7. Id.
8. Id.
9. See GS1 US, Comment Letter on FTC Seeking Input on Privacy and Security
Implications of the Internet of Things, 3 (July 25, 2013), https://www.ftc.gov/policy/public
-comments/comment-00030-2 [https://perma.cc/2NDB-NZE5].
10. Eric Wicklund, Analytics and mHealth Find Common Ground, MHEALTHNEWS
(Oct. 1, 2015), http://www.mhealthnews.com/news/analytics-and-mhealth-find-common
-ground [https://perma.cc/FB48-KUAR].
11. Jeb Brack, Platform Eyes Easier Diabetes Management for 400 Million Sufferers,
PSFK (Oct. 9, 2015), http://www.psfk.com/2015/10/diabetes-management-type-1-diabetes
-platform-fjord-fido.html [https://perma.cc/GM4R-7DA2].
12. Wicklund, supra note 10.
13. Id.
2006] INTERNET OF THINGS 999
consumer habits, and thus, suggest behavioral changes to help manage that
glucose level.14 This would not be possible without enhanced data analytics
capabilities. Fourth, when a consumer's glucose level goes over a safe
threshold, Fido can alert healthcare providers to enable a timely, life-saving
intervention.15 Fido shows the tremendous potential benefits of IoT, but
also presents a sobering reminder of IoT's privacy and security implications.
Health data is sensitive, and its granularity presents significant challenges
to anonymizing personal information, thereby exposing consumers to
privacy and data security risks.
Two conventional products, namely, home security systems and
electronic toll collection, show how IoT differs from similar currently
available products. A home security system utilizes various motion and
sound sensors to detect intrusion into a home, and actuators to give
automated alerts such as bells, sirens, and flashing lights.16 Further, its
components are interconnected through wired or wireless means.17
Similarly, an electronic toll collection system such as E-ZPass uses RFID
technology to authenticate a given vehicle and process automated
payments.18 What both of these systems do not have, however, is the back-
end information infrastructures necessary to create new services.19 In other
words, as this Note will explain later, there is no common services layer
upon which to add or modify functionalities once the system is put in
place.20 Further, the fairly basic and limited data they store and process fail
to capture the role of big data analytics in IoT.21 At the same time, these
examples illustrate that many of the technologies that enable IoT have been
around for some time, and it is only the convergence of these disparate
technologies as well as their rapid advancement that has helped create a
vision for IoT.
22. Perhaps the most talked about example of a future IoT product is a smart
refrigerator, which keeps track of, for instance, the number of remaining eggs in it and
alerts a consumer when eggs are about to run out. This smart refrigerator can even
automatically place orders online, and if connected to a smart scale, warn the consumer of
her most recent weight and BMI as she pulls out a pint of ice cream from the fridge. Patrick
Thibodeau, Explained: The ABCs of the Internet of Things, COMPUTERWORLD (May 6,
2014), http://www.computerworld.com/article/2488872/emerging-technology-explained
-the-abcs-of-the-internet-of-things.html [https://perma.cc/63Q8-JYML].
23. See Ian G. Smith et al., The Internet of Things 2012: New Horizons, IOT
EUROPEAN RESEARCH CLUSTER, 35–39 (2012), http://www.internet-of-things-research
.eu/pdf/IERC_Cluster_Book_2012_WEB.pdf [https://perma.cc/C8BP-QZ8M] (discussing
potential applications of IoT).
24. See Thibodeau, supra note 22.
fit together and explains the relationship between the many different types
of companies creating IoT products.25 It also provides guidance as to how
new technologies may get incorporated into the system.
[Figure 1: oneM2M Layered Model, Along With ITU's Device Layer. Layer labels recoverable from the figure: Application Layer, Device Layer.]
32. Id.
33. See AT&T, Comment Letter on FTC Seeking Input on Privacy and Security
Implications of the Internet of Things, 57 (May 31, 2013), https://www.ftc.gov/policy/
public-comments/comment-00004-2 [https://perma.cc/AG66-MZYM].
34. See id. at 5, 9.
35. See id. at 5.
36. See id.
37. See id.
38. See id. at 10–11.
39. See id. at 11; The Interoperability Enabler for the Entire M2M and IoT Ecosystem,
ONEM2M, 13 (Jan. 2015), http://www.onem2m.org/images/files/oneM2M-whitepaper
-January-2015.pdf [https://perma.cc/AT7R-QU8T].
40. See ONEM2M, supra note 39, at 9.
heavy rainfall might cause water on the floor.49 The burgeoning demand for
microchips in the phone and tablet markets has led to cheaper and less
power-intensive sensors.50 While this holds significant promise for IoT, the
ability of sensors to collect varied data also raises privacy and data security
concerns.51
Beyond cheaper and better sensors, cheaper, faster, and more widely
available broadband Internet connectivity drives IoT expansion.52 Growing
demand from Internet subscribers over the past years has driven substantial
growth in the deployment of fixed line, cellular 3G/4G and LTE, power
line, and fiber-optic networks, which have increased available bandwidth.53
An IoT system can use these networks, for instance, to connect a smart
home system to the cloud, which can process sensor data. These networks
connect the device layer and the common services layer.
Similarly, various local communication methods are available to connect
devices with the gateway or with other devices within the device layer.
Typically, an IoT device will have a radio to send and receive wireless
communications.54 Some standards have been designed to provide Wi-Fi
communication among devices over a broad geographic range, while other
standards cover a short to medium range.55 IoT wireless protocols are meant
49. Id. Combining sensor data from various sources to produce information that is
greater than the sum of information from individual sources is called sensor fusion.
Opinion 8/2014 on the on [sic] Recent Developments on the Internet of Things, ARTICLE 29
DATA PROTECTION WORKING PARTY, 7 n.6 (Sept. 16, 2014), http://ec.europa.eu/justice/
data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223
_en.pdf [https://perma.cc/NBK5-HMA8].
50. See Sir Mark Walport, The Internet of Things: Making the Most of the
Second Digital Revolution, UK GOV'T OFF. FOR SCIENCE, 15 n.3 (Dec. 2014),
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/409774/
14-1230-internet-of-things-review.pdf [https://perma.cc/LW7G-AM5X].
51. Id. at 16.
52. Id. at 15 n.8.
53. Id.; Bernadette Johnson, How the Internet of Things Works, HOWSTUFFWORKS,
http://computer.howstuffworks.com/internet-of-things.htm/printable [https://perma.cc/
LY6T-96XW].
54. See Thibodeau, supra note 22; Johnson, supra note 53.
55. Electronic Privacy Information Center (EPIC), Comment Letter on FTC Seeking
Input on Privacy and Security Implications of the Internet of Things, 36 (June 1, 2013),
https://www.ftc.gov/policy/public-comments/comment-00011-2 [https://perma.cc/7H62
-UCLQ]. For example, the Worldwide Interoperability for Microwave Access (WiMAX)
and 802.16 Wireless Metropolitan Network (WMAN) standards broadcast over several
miles, and the 802.11p standard facilitates intelligent transport systems. Bluetooth and
Radio Frequency Identification (RFID) communication technologies can offer a range
from three to three hundred feet, whereas Near Field Communication (NFC) offers a
much shorter range of up to four inches. Because RFID communication operates through
to operate on low power, use low bandwidth, and work on a mesh network.56
In a mesh network, devices connect directly with one another to relay
information, enabling the network to sprawl over a wide area even though
a single device may transmit only up to 300 feet.57 Mesh networks are also
immune to the failure of any individual device.58
Advancements in the protocols used to assign Internet protocol (IP)
addresses, specifically IPv6, and the satellite-based global positioning
system (GPS) promise vast improvements in identifying and tracking IoT
devices, but raise privacy and security concerns. Whereas the older version
of the IP protocol, IPv4, ran out of its 2^32 addresses in 2011, IPv6 offers 2^128
unique addresses.59 This enables each IoT device to have its own unique,
persistent identifier, thereby enhancing identifying and tracking capabilities
of devices across multiple networks as well as creating privacy and security
ramifications.60 Similarly, GPS can provide detailed three-dimensional
location data (latitude, longitude, and altitude) precise to within 100 feet,
time to within a millionth of a second, and velocity to within a fraction of a
mile per hour.61 This offers great tracking functionality, for instance, in
Event Data Recorders (EDR) in cars, but it also has serious privacy
implications.62
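The tracking concern described above, as an added example that is not part of the original Note: it contrasts a hardware-derived interface identifier with the randomized temporary addresses that footnote 60 mentions. It assumes stateless autoconfiguration with a modified EUI-64 identifier (RFC 4291), a mechanism the Note does not name; the MAC address and the 2001:db8 documentation prefixes are constructed sample values.

```python
import ipaddress
import secrets
from collections import defaultdict

IID_MASK = (1 << 64) - 1  # low 64 bits of an IPv6 address: the interface identifier

# Constructed sample values (not from the Note): one device seen on three networks.
SAMPLE_MAC = "00:1a:2b:3c:4d:5e"
SAMPLE_PREFIXES = ["2001:db8:a::/64", "2001:db8:b::/64", "2001:db8:c::/64"]


def eui64_interface_id(mac):
    """Derive the modified EUI-64 interface identifier from a 48-bit MAC."""
    octets = bytearray(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02  # invert the universal/local bit
    return int.from_bytes(octets[:3] + b"\xff\xfe" + octets[3:], "big")


def temporary_interface_id():
    """Random 64-bit identifier, standing in for a temporary address."""
    return secrets.randbits(64)


def build_address(prefix, iid):
    """Combine a /64 network prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("this example only handles /64 prefixes")
    return ipaddress.IPv6Address(int(net.network_address) | (iid & IID_MASK))


def mac_from_address(addr):
    """Return the MAC embedded in an EUI-64 style address, or None."""
    iid = (int(ipaddress.IPv6Address(addr)) & IID_MASK).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":  # marker inserted by the EUI-64 expansion
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in mac)


def linkable_identifiers(addresses):
    """Map each interface identifier seen under more than one /64 prefix
    to the sorted list of prefixes it appeared on."""
    seen = defaultdict(set)
    for addr in addresses:
        value = int(ipaddress.IPv6Address(addr))
        prefix = ipaddress.IPv6Network(((value >> 64) << 64, 64))
        seen[value & IID_MASK].add(str(prefix))
    return {
        f"{iid:016x}": sorted(prefixes)
        for iid, prefixes in seen.items()
        if len(prefixes) > 1
    }


if __name__ == "__main__":
    stable_iid = eui64_interface_id(SAMPLE_MAC)
    stable = [build_address(p, stable_iid) for p in SAMPLE_PREFIXES]
    temporary = [build_address(p, temporary_interface_id()) for p in SAMPLE_PREFIXES]

    print("hardware-derived addresses:")
    for addr in stable:
        print("  ", addr, "-> embedded MAC", mac_from_address(addr))
    print("linkable across networks:", linkable_identifiers(stable))

    print("temporary addresses:")
    for addr in temporary:
        print("  ", addr)
    print("linkable across networks:", linkable_identifiers(temporary))
```

The same `linkable_identifiers` check can be run over addresses a device has actually used, to confirm that temporary addressing is enabled before the device is moved between networks.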
IoT is intimately connected to the notion of big data: collecting and
storing a large amount and variety of granular data in real time, and using
tags, it also gives a device a unique identifier, which helps in tracking the location and status
of the device. Id.
56. Thibodeau, supra note 22. The Z-Wave Alliance, Zigbee Alliance, and Insteon
have developed wireless mesh IoT protocols, which are not directly interoperable, but can
work together via hubs. Id.
57. See id.
58. See id.
59. EPIC, supra note 55, at 79.
60. Id.; see Thibodeau, supra note 22. Under IPv4, multiple devices in a local network
connected to the same router share the same IP address while communicating in and out
of the network, and have unique sub-addresses within the network. Consequently,
individual devices enjoy a certain degree of anonymity. EPIC, supra note 55, at 7. On the
other hand, IPv6 obviates the need for devices to share an IP address (although periodically
randomizing IP addresses and generating temporary addresses can still anonymize a
device). Id. at 8. In a smart metering system, this means that IPv6 can help track individual
appliances, but potentially also expose granular data on a customer's use of appliances to
privacy and security threats. Id. at 11.
61. Global Positioning System Fact Sheet, LOS ANGELES AIR FORCE BASE (Jan. 19,
2009), http://www.losangeles.af.mil/library/factsheets/factsheet.asp?id=5325 [https://perma
.cc/29KT-TUFW].
62. EPIC, supra note 55, at 10–12.
data analytics to reveal insights from these data.63 Putting together all the
data from the device layer in a big data lake enables its analysis in the
context of other information, helping previously unseen linkages, patterns,
and inferences emerge.64 Interoperability of various IoT systems will allow
for such pooling of data.65 Society cannot realize IoT's full value proposition
if sensor data languishes in information silos, accessible only to a few
specialists.66 At the same time, storage and network limitations render
storing and transmitting all the data inefficient. Therefore, data
management (determining what type of data is important, what should be
transmitted immediately, what should be stored and for how long, and what
information should be discarded) is essential.67 Data management
minimizes data stored and time stored, one of the principles advocated by
the Federal Trade Commission (FTC) in order to mitigate privacy and data
security risks in IoT.68
The development of cloud computing has been of paramount
importance to big data and will play a major role in the IoT infrastructure.
Instead of expanding their native infrastructures, many enterprises are
moving the storage and processing of big data to the cloud for enhanced
scalability and flexibility.69 The cloud also provides the platform for third
party app developers to build solutions, akin to an app store on mobile
phones and mirroring oneM2M's vision of a common services layer.70
63. See Charles McLellan, The Internet of Things and Big Data: Unlocking the Power,
ZDNET (Mar. 2, 2015), http://www.zdnet.com/article/the-internet-of-things-and-big
-data-unlocking-the-power [https://perma.cc/74DW-6SKW].
64. See Drew Robb, How IoT Will Change Big Data Analytics, ENTERPRISE APPS
TODAY (Nov. 17, 2014), http://www.enterpriseappstoday.com/business-intelligence/how
-iot-will-change-big-data-analytics.html [https://perma.cc/L63S-N43C].
65. See Andy Vitus, The California Drought and Standards of IoT, TECHCRUNCH
(Oct. 17, 2015), http://techcrunch.com/2015/10/17/the-california-drought-and-standards
-of-iot [https://perma.cc/YE6L-9BF6].
66. Robb, supra note 64.
67. Id.
68. FTC, STAFF REPORT, Internet of Things: Privacy & Security in a Connected World,
33–36 (Jan. 2015), https://www.ftc.gov/system/files/documents/reports/federal-trade
-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/
150127iotrpt.pdf [https://perma.cc/5D7F-F9EE].
69. See Kaushik Pal, The Impact of Internet of Things on Big Data, DATAINFORMED
(Sept. 10, 2015), http://data-informed.com/the-impact-of-internet-of-things-on-big
-data [https://perma.cc/2Z2B-2HN7].
70. See Sean Gallagher, Machine Consciousness: Big Data Analytics and the Internet of
Things, ARS TECHNICA (Mar. 24, 2015), http://arstechnica.com/information-technology/
2015/03/machine-consciousness-big-data-analytics-and-the-internet-of-things [https://perma
.cc/6293-UPPR]. GE Software CTO envisions a cloud operating system for industrial
analytical apps whereby companies can control access to their sensor data while leveraging
analytic software written by third party developers. Id.
71. McLellan, supra note 63.
72. Fog Computing and The Internet of Things: Extend the Cloud to Where the Things
Are, CISCO (2015), http://www.cisco.com/c/dam/en_us/solutions/trends/iot/docs/
computing-overview.pdf [https://perma.cc/Q7YA-5N74] (describing fog computing:
"[t]he fog extends the cloud to be closer to the things that produce and act on IoT data.
These devices, called fog nodes, can be deployed anywhere with a network connection.").
73. See Robb, supra note 64. Likewise, in industrial applications, devices often need
to communicate and make decisions locally, as in Airbus's vision of using data analytics in
tracking the performance of a system where intelligent tools will replace humans in
manufacturing planes. GE similarly uses local analytics to change the configuration of its
wind turbines based on sensor data on, for instance, wind gust. Sean Gallagher, The Future
Is the Internet of Things - Deal with It, ARS TECHNICA (Oct. 29, 2015),
http://arstechnica.com/unite/2015/10/the-future-is-the-internet-of-things-deal-with-it
[https://perma.cc/Z4C3-UAQZ].
74. See Gallagher, supra note 73. Gartner uses the term "distributed approach" to data
center management whereby multiple mini-data centers perform initial processing and
forward relevant data over WAN links to a centralized location for further analysis. See
Press Release, Gartner Says the Internet of Things Will Transform the Data Center,
GARTNER, INC. (Mar. 19, 2014), http://www.gartner.com/newsroom/id/2684616
[https://perma.cc/PYE9-FNVY].
75. Johnson, supra note 53.
76. ITUIoT, supra note 44, at 23–24.
II. INTEROPERABILITY
The IoT industry is projected to be worth hundreds of billions of dollars
in the future.88 Although vendors will offer IoT products that are vertically
integrated to varying degrees, no one company can supply all of IoT's
constituent parts and technologies. Likewise, the lack of a common services
layer will hinder horizontal interoperability, that is, prevent application
developers from utilizing existing IoT infrastructure to offer applications to
end customers. Thus IoT may not become the massive industry it is
projected to become unless its many constituting devices can interoperate,
or communicate with each other. In fact, oneM2M argues that market
projections of growth of IoT are unrealistic absent a global standardized
platform.89
The dual standards in videocassette recorders (VCRs), Sony's Betamax
and JVC's VHS, present a classic illustration of the value of standards.90 As
the two companies jostled for market share, confusion among vendors,
video shop rentals, and customers followed.91 Vendors manufactured VCRs
in one or both formats and rental shops stocked two copies of each movie
title, a waste of resources in addition to dual research and development and
84. Id. at 12.
85. See ITUIoT, supra note 44, at 3.
86. Vermesan et al., supra note 19, at 12.
87. See ITUIoT, supra note 44, at 3.
88. See STRATEGY ANALYTICS, supra note 3.
89. oneM2M, supra note 39, at 2.
90. See Andrew Updegrove, The Essential Guide to Standards: What (and Why) Is an SSO?,
CONSORTIUMINFO (2007), http://www.consortiuminfo.org/essentialguide/whatisansso.php
[https://perma.cc/3WJD-5BLX].
91. Id.
marketing by Sony and JVC.92 The ambiguity also stunted the growth of
the entire VCR ecosystem.93 VHS eventually prevailed over Betamax even
though many believed that the latter was a technologically superior
product.94 A standard in VCR technology from the start would have limited
inefficiencies and propelled the growth of related industries.95 Further, if
the standard had emerged from collaboration between competitors in a
standards organization, they could have pooled their knowhow to produce
something even technologically superior.
IoT platforms are currently highly fragmented.96 The current lack of
standards remains a significant hurdle to unlocking significant economic
value from IoT.97 Like during the VCR standards battle, vendors and end
users could be delaying investments, even though they see value in using
IoT, because they fear making irreversible investments in the standard that
loses out in the end. This problem is particularly acute in a system such as
smart meters, where it takes twenty to thirty years to recoup initial
investment outlays.98 Utility service providers will, therefore, need
assurances that network interfaces will be stable and device software will be
manageable and upgradable. More broadly, standards that provide common
service layer capabilities and open interfaces will help reduce investments,
time-to-market, development and on-boarding costs, and facilitate
management of devices and applications.99 In order for IoT to become
ubiquitous, applications should be abstracted from the underlying access
networks and technologies, which will require interoperability between
devices, platforms, data formats, protocols, and applications.100 Standards
will, thus, enhance scalability and flexibility in IoT applications.101
Indirect network effects are at play in the IoT market; that is, the more
widely end users adopt a company's platform, the more vendors and
developers are drawn to the platform and vice versa. In such a market, a
company that eventually owns the dominant platform will obtain a
tremendous monopoly advantage. Given the likely exponential growth of
the IoT market, the potential rewards are, thus, astronomical. However,
92. Id.
93. Sangin Park, Quantitative Analysis of Network Externalities in Competing
Technologies: The VCR Case, 86 REV. ECON. & STATISTICS 937, 939 (2004).
94. Updegrove, supra note 90.
95. See Park, supra note 93, at 939.
96. See oneM2M, supra note 39, at 13.
97. See id. at 2; Walport, supra note 50, at 8, 16.
98. See oneM2M, supra note 39, at 6.
99. Id. at 6.
100. Id.
101. See id.
102. Stanley M. Besen & Joseph Farrell, Choosing How to Compete: Strategies and
Tactics in Standardization, 8 J. ECON. PERSPECTIVES 2, 121–29 (1994).
103. See id. at 122; NEST, supra note 4; Jennifer Booton, IBM Launches Internet of
Things Division, MARKETWATCH (Sept. 14, 2015), http://www.marketwatch.com/story/
ibm-launches-internet-of-things-division-2015-09-14 [https://perma.cc/5ZWG-XXCV];
Stacey Higginbotham, AT&T's Plan for the Internet of Things Goes Way Beyond the Network,
FORTUNE (Sept. 15, 2015), http://fortune.com/2015/09/15/att-internet-of-things
[https://perma.cc/5W97-HFA8].
104. See Besen & Farrell, supra note 102, at 122–23; Aaron Tilley, Intel Releases New
Platform to Kickstart Development in the Internet of Things, FORBES (Dec. 9, 2014),
http://www.forbes.com/sites/aarontilley/2014/12/09/intel-releases-new-platform-to-kickstart
-development-in-the-internet-of-things/#614684fc1028 [https://perma.cc/2VN3-EE8S].
105. See Besen & Farrell, supra note 102, at 123–24.
106. Orange Deploys a Network for the Internet of Things, ORANGE (Sept. 18, 2015),
http://www.orange.com/en/Press-and-medias/press-releases-2016/press-releases-2015/
Orange-deploys-a-network-for-the-Internet-of-Things [https://perma.cc/9KLP-EF4V].
107. Colin Neagle, A Guide to the Confusing Internet of Things Standards World,
NETWORK WORLD (July 21, 2014), http://www.networkworld.com/article/2456421/
internet-of-things/a-guide-to-the-confusing-internet-of-things-standards-world.html
[https://perma.cc/TKQ5-RW6H].
108. Id. While opening its platform to the open source community for collaboration,
the OIC has expressed distrust with Qualcomm's intentions. Id. Similarly, Qualcomm has
publicly denounced OIC's spurn of its platform. Id.
109. See id.
110. Christopher Null, The State of IoT Standards: Stand By for the Big Shakeout,
TECHBEACON (Sept. 2, 2015), http://techbeacon.com/state-iot-standards-stand-big
-shakeout [https://perma.cc/QA42-DK6R].
111. See Robert S. Sutor, Open Source vs. Open Standards, http://www.sutor.com/c/
essays/osvsos [https://perma.cc/7W45-7E22].
112. See Direct Marketing Association, Comment Letter on FTC Seeking Input on
Privacy and Security Implications of the Internet of Things, 2 (June 1, 2013),
https://www.ftc.gov/policy/public-comments/comment-00010-2 [https://perma.cc/KN2F
-GJE2].
121. Id. at 128 (explaining that "[a]ccuracy, however, is really not the problem with
Internet of Things sensor data . . . What is more questionable are the inferences drawn
from such data. The FCRA does not reach those inferences, however. It applies to the
underlying inputs into a credit, insurance, or employment determination, not the
reasoning that a bank, insurer, or employer then makes based on those inputs.").
122. Id. at 127.
123. Id. at 124–25.
124. Id. at 129–31.
125. Id. at 132.
126. Id. at 129.
127. Id.
128. Id.
129. Id. at 132–33. For a more in-depth discussion of data breaches and security breach
notification laws, see Yasmine Agelidis, Note, Protecting the Good, the Bad, and the Ugly:
Exposure Data Breaches and Suggestions for Coping with Them, 31 BERKELEY TECH. L.J.
1057 (2016).
130. Id.
B. SECURITY
Increased reliance upon IoT heightens both the risk of data breaches
and physical harm to users of IoT systems or devices.131 Each additional IoT
device represents another point of vulnerability for intruders to access
information.132 A connected device can be an entry point for an attack on
an entire network or other connected systems.133 As a case-in-point from a
non-IoT system, during the theft of forty million credit card numbers and
infiltration of Target's computer system in 2013, attackers exploited security
flaws in a contractor's computer system that was connected to Target's
computer system for the purposes of electronic billing, contract
submission, and project management.134 Further, IoT can pose a direct
threat to people's physical safety through manipulation of device functions
or tracking of users' location.135 As examples, a hacker once exploited
vulnerabilities of a baby monitoring device to shout at a sleeping toddler,
and a group of researchers were able to control the steering and braking of
a connected car by hacking it remotely.136
In addition to security risks emerging from communication links and
storage infrastructure, IoT devices are inherently vulnerable for many
reasons. First, manufacturers of these devices, primarily consumer goods
companies, are inexperienced in data security issues relative to software or
hardware firms.137 Second, the devices' compact form and low battery life
do not lend themselves to the high processing power that is needed for
robust security measures such as encryption.138 Third, it is hard to
periodically update or patch these devices with security fixes, thereby
exposing them to threats not existing or contemplated at the time of their
manufacture.139
131. See Jim Snell & Christian Lee, The Internet of Things Changes Everything, or Does
It?, 32 COMPUTER & INTERNET LAWYER 2 (2015).
132. FTC, supra note 68, at 11.
133. Id. at 11–12.
134. Paul Ziobro, Target Breach Began with Contractor's Electronic Billing Link, WALL
ST. J. (Feb. 6, 2014), http://www.wsj.com/articles/SB10001424052702304450904579367
391844060778 [https://perma.cc/ZJ8H-SCRR].
135. FTC, supra note 68, at 12–13.
136. Andy Greenberg, How Hackable is Your Car? Consult This Handy Chart, WIRED
(Aug. 6, 2014), http://www.wired.com/2014/08/car-hacking-chart [https://perma.cc/
G5P3-E2A2]; Home, Hacked Home: The Perils of Connected Devices, ECONOMIST (July 12,
2014), http://www.economist.com/news/special-report/21606420-perils-connected-devices
-home-hacked-home [https://perma.cc/E9DZ-E38F].
137. Peppet, supra note 115, at 135.
138. Id.
139. Id. at 135–36.
security measures at all levels, for instance, using data encryption in both
transit and storage, instead of relying on consumers' passwords.151 It also
recommends using strong authentication to permit IoT devices to interact
with other IoT devices and systems while not unduly hindering the devices'
usability, monitoring products through the life cycle, providing security
updates, and patching known vulnerabilities after the sale of the devices.152
Data minimization encompasses reasonable limits on both collection
and retention of data.153 The FTC report also advocates a privacy-by-design
approach whereby the company evaluates its data needs: what types of
data it is collecting, to what end, and how long it should be stored.154 It
also recommends considering whether a company can provide the same
services with less granular data, for example, using zip codes instead of
precise geographical location.155 When de-identification is possible and de-
identified data serves business needs, the report suggests that companies
maintain data in de-identified form and publicly commit to not re-identify
data.156 At the same time, it acknowledges the importance of maintaining
flexibility in the data minimization framework so as not to foreclose future
innovations based on data they do not use today.157
The notice and choice framework advocated by the FTC allows a
company to collect sensitive personal information with the express consent
of consumers.158 However, such consent is not required if data can be
effectively and immediately de-identified, or if its collection and use is
consistent with the context of a transaction or the relationship between the
company and the customer.159 To illustrate, a smart oven vendor that also
offers an app to turn the oven on remotely and specify its temperature need
not seek consumers' consent to use oven-usage information to improve the
sensitivity of the oven's sensors or recommend related products to
consumers.160 On the contrary, the vendor would need consumers' consent
to sell this data to a data broker or an advertisement network.161 The report
refrains from embracing a full use-based framework not in the least because
151. Id.
152. Id. at 31–32.
153. Id. at 33–34.
154. Id. at 36.
155. Id.
156. Id. at 36–37.
157. Id. at 38–39.
158. Id. at 39–40.
159. Id. at 40, 43.
160. Id. at 40–41.
161. Id.
173. Id.
174. See In the Matter of TRENDnet, Inc., 122 F.T.C. 3090 (Feb. 7, 2014) (FTC
complaint), https://www.ftc.gov/system/files/documents/cases/140207trendnetcmpt.pdf
[https://perma.cc/LVV6-VPYD]; PRESS RELEASE, MARKETER OF INTERNET
-CONNECTED HOME SECURITY VIDEO CAMERAS SETTLES FTC CHARGES IT FAILED TO
PROTECT CONSUMERS' PRIVACY, FED. TRADE COMMISSION (Sept. 4, 2013), https://www
.ftc.gov/news-events/press-releases/2013/09/marketer-internet-connected-home-security
-video-cameras-settles [https://perma.cc/B5HH-BK47].
175. FED. TRADE COMMISSION, Press Release, supra note 174.
176. Id.
177. Id.
178. See Peppet, supra note 115, at 137–39.
179. See FTC, supra note 68, at 48–52.
180. Id.
181. Id.
182. See Article 29 Data Protection Working Party, supra note 49.
191. Michael Katz & Carl Shapiro, Systems Competition and Network Effects, 8 J.
ECON. PERSPECTIVES 2, 95 (1994).